| author | RATDAD <lambda@disroot.org> | 2026-03-06 02:05:52 -0500 |
|---|---|---|
| committer | RATDAD <lambda@disroot.org> | 2026-03-06 02:05:52 -0500 |
| commit | 2578d12ea47d10130472a845244e4aaac48897cb (patch) | |
| tree | 3dc5ba45a79006d549cb9e551724a6a5d19f71b4 /stacks/iam | |
| parent | 88ba319238bb4af0106bc1a83fbbb1963af88fe1 (diff) | |
| download | rd-cloud-2578d12ea47d10130472a845244e4aaac48897cb.tar.gz rd-cloud-2578d12ea47d10130472a845244e4aaac48897cb.tar.bz2 rd-cloud-2578d12ea47d10130472a845244e4aaac48897cb.zip | |
checkpoint: development state
Diffstat (limited to 'stacks/iam')
| -rw-r--r-- | stacks/iam/.gitignore | 7 | ||||
| -rw-r--r-- | stacks/iam/TODO | 1 | ||||
| -rw-r--r-- | stacks/iam/compose.yml | 63 | ||||
| -rw-r--r-- | stacks/iam/env.example | 17 | ||||
| -rw-r--r-- | stacks/iam/env.template | 17 | ||||
| -rw-r--r-- | stacks/iam/iam.env.template (renamed from stacks/iam/auth.env.example) | 0 | ||||
| -rwxr-xr-x | stacks/iam/util/gen-secrets.sh | 4 |
7 files changed, 59 insertions, 50 deletions
diff --git a/stacks/iam/.gitignore b/stacks/iam/.gitignore
index 4dfeb35..6b67a59 100644
--- a/stacks/iam/.gitignore
+++ b/stacks/iam/.gitignore
@@ -1,7 +1,4 @@
 *.env
-config/
-config/*
-secrets/
-secrets/*
+config
+secrets
 compose.test.yml
-compose.cache.test.yml
diff --git a/stacks/iam/TODO b/stacks/iam/TODO
deleted file mode 100644
index dba0e14..0000000
--- a/stacks/iam/TODO
+++ /dev/null
@@ -1 +0,0 @@
-1. Make a script to initialize Authelia with an admin user and streamline prod setup.
diff --git a/stacks/iam/compose.yml b/stacks/iam/compose.yml
index af25bb9..3e516ca 100644
--- a/stacks/iam/compose.yml
+++ b/stacks/iam/compose.yml
@@ -1,54 +1,67 @@
-name: ${_STACK_0}
+name: ${STACK}
 networks:
- net_0:
- name: ${_NET_0}
+ edge-net:
+ name: ${EDGE_NET}
 external: true
- net_1:
- name: ${_NET_1}
+ db-net:
+ name: ${DB_NET}
+ external: true
+ cache-net:
 volumes:
- volume_0:
- name: ${_VOLUME_0}
+ config:
+ name: ${IAM_CONFIG_VOLUME}
 external: true
 secrets:
 JWT_SECRET:
- file: '/srv/secrets/auth/JWT_SECRET'
+ file: './srv/secrets/auth/JWT_SECRET'
 SESSION_SECRET:
- file: '/srv/secrets/auth/SESSION_SECRET'
+ file: './srv/secrets/auth/SESSION_SECRET'
 STORAGE_ENCRYPTION:
- file: '/srv/secrets/auth/STORAGE_ENCRYPTION'
+ file: './srv/secrets/auth/STORAGE_ENCRYPTION'
 OIDC_HMAC_SECRET:
- file: '/srv/secrets/auth/OIDC_HMAC_SECRET'
+ file: './srv/secrets/auth/OIDC_HMAC_SECRET'
+ POSTGRES_PASSWORD:
+ file: './srv/secrets/auth/POSTGRES_PASSWORD'
 services:
- auth:
- container_name: ${_CONTAINER_0}
+ auth-test:
+ container_name: ${IAM_CONTAINER}
 image: authelia/authelia:latest
 restart: unless-stopped
- secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET']
+ secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_ENCRYPTION', 'OIDC_HMAC_SECRET', 'POSTGRES_PASSWORD']
+ environment:
+ AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
+ AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
+ AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION'
+ AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: '/run/secrets/OIDC_HMAC_SECRET'
+ AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: '/run/secrets/POSTGRES_PASSWORD'
+ X_AUTHELIA_CONFIG_FILTERS: 'template'
 env_file:
- - .auth.env # Runtime Vars
+ - .run.env # Runtime Vars
 - .env # Stack Vars
+ user: "${UID}:${GID}"
 volumes:
- - volume_0:/config/db
- - /srv/secrets/auth/configuration.yml:/config/configuration.yml
- - /srv/secrets/auth/users.yml:/config/users.yml
- - /srv/secrets/auth/jwks/oidc-jwk.pem:/config/jwks/oidc-jwk.pem
- - /srv/secrets/auth/jwks/oidc-jwk-pub.pem:/config/jwks/oidc-jwk-pub.pem
+ - config:/config
+ - ${CONFIG_FILE}:/config/configuration.yml
+ - ${USERS_FILE}:/config/users.yml
+ - ${JWK_PRIV_KEY}:/config/jwks/oidc-jwk.pem
+ - ${JWK_PUBL_KEY}:/config/jwks/oidc-jwk-pub.pem
 networks:
- - net_0
- - net_1
+ - edge-net
+ - db-net
+ - cache-net
 expose:
 - 9091
- auth-cache:
- container_name: ${_CONTAINER_1}
+ auth-cache-test:
+ container_name: ${IAM_CACHE_CONTAINER}
 image: redis:latest
 restart: unless-stopped
 env_file:
 - .env
 networks:
- - net_1
+ - cache-net
 expose:
 - 6379
diff --git a/stacks/iam/env.example b/stacks/iam/env.example
deleted file mode 100644
index 913a774..0000000
--- a/stacks/iam/env.example
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-#
-# Stack Compose Variables
-
-# Namespace
-_STACK_0=
-
-# Containers
-_CONTAINER_0=
-_CONTAINER_1=
-
-# Network
-_NET_0=
-_NET_1=
-
-# Volumes
-_VOLUME_0=
diff --git a/stacks/iam/env.template b/stacks/iam/env.template
new file mode 100644
index 0000000..b6a023e
--- /dev/null
+++ b/stacks/iam/env.template
@@ -0,0 +1,17 @@
+#
+#
+# Stack Compose Variables
+
+# Namespace
+STACK=
+
+# Containers
+IAM_CONTAINER=
+IAM_CACHE_CONTAINER=
+
+# Network
+EDGE_NET=
+DB_NET=
+
+# Volumes
+IAM_CONFIG_VOLUME=
diff --git a/stacks/iam/auth.env.example b/stacks/iam/iam.env.template
index b5275ab..b5275ab 100644
--- a/stacks/iam/auth.env.example
+++ b/stacks/iam/iam.env.template
diff --git a/stacks/iam/util/gen-secrets.sh b/stacks/iam/util/gen-secrets.sh
index 832f5d8..8ebec55 100755
--- a/stacks/iam/util/gen-secrets.sh
+++ b/stacks/iam/util/gen-secrets.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-USERS=(RATDAD)
+USERS=(ADMIN)
 SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)
 SECRET_DIR=$PWD/secrets
@@ -13,7 +13,7 @@ for filename in "${SECRETS[@]}"; do
 fi
 done
-# Generate admin passwords
+# Generate admin password
 for filename in "${USERS[@]}"; do
 if [ ! -f "$SECRET_DIR"/"$filename" ]; then
 openssl rand -hex 12 > "$SECRET_DIR"/"$filename" |
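Review bot: `user: "${UID}:${GID}"` relies on two variables that neither the env.template added in this commit nor a normal shell hand to Compose (bash sets UID but does not export it), and Compose only warns about an unset variable before substituting an empty string, so the service would be started with `user: ":"`. Make the requirement explicit, `user: "${UID:?set UID in .env}:${GID:?set GID in .env}"`, and list both in env.template so a fresh checkout fails loudly instead of silently. The five secret `file:` entries are now relative (`./srv/secrets/auth/...`), which Compose resolves against the project directory; since the container no longer runs as root, those files and the bind-mounted `${CONFIG_FILE}`, `${USERS_FILE}` and JWK paths must also be readable by that uid, which is worth a one-line comment next to `user:` because the failure mode is a permission error at startup rather than a config error. The `environment:` block correctly points every `*_FILE` variable at `/run/secrets/`, so no secret value itself lands in the container environment.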
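Review bot: The variables compose.yml now interpolates for the bind mounts and the run-as user — `CONFIG_FILE`, `USERS_FILE`, `JWK_PRIV_KEY`, `JWK_PUBL_KEY`, `UID` and `GID` — are absent from this template, and `env_file:` entries only populate the container environment, not Compose interpolation, so unless they come from the invoking shell every `${...}` expands to an empty string and the mounts degrade to `:/config/configuration.yml`. Add them here in the same commented-group style so the template is a complete description of what `.env` must contain.
```shell
# … unchanged: Namespace, Containers, Network, Volumes …

# Host files bind-mounted into the IAM container
CONFIG_FILE=
USERS_FILE=
JWK_PRIV_KEY=
JWK_PUBL_KEY=

# Host uid/gid the IAM container runs as
UID=
GID=
```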
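Review bot: `SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET)` is left unchanged although compose.yml in this commit now mounts a `POSTGRES_PASSWORD` secret, so the script no longer generates every file the stack needs; append it: `SECRETS=(SESSION_SECRET STORAGE_ENCRYPTION JWT_SECRET OIDC_HMAC_SECRET POSTGRES_PASSWORD)`. `SECRET_DIR=$PWD/secrets` also no longer matches the `./srv/secrets/auth/` location compose.yml reads from, unless the script is meant to be run from a different directory or the two paths are linked; anchoring it to the script, `SECRET_DIR=$(dirname "$0")/../srv/secrets/auth`, would remove the dependency on the caller's cwd. Because the files written further down are key material, set `umask 077` right after `SECRET_DIR` so they are created owner-readable only. The generation loops are outside this hunk.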
